By Ross Brewer, VP and MD of international markets, LogRhythm
Not long ago, organisations could install a few firewalls and some anti-virus software and feel confident that those systems would defend them against any attempted cyber-attack. A few years on, the same cannot be said. Today's IT environments are far harder to defend, as enterprise mobility, cloud and BYOx continue to break down the defensible perimeter and add layers of complexity to securing the enterprise.
There therefore needs to be a shift in the way network security is addressed. On a positive note, organisations are finally acknowledging that traditional defences are inadequate against today's rapidly evolving threat landscape. That's not to say these measures have no role in defending networks; on their own, however, they fail to protect against long-term harm. While the maturity of an organisation's security varies with its budget and its own risk tolerance, today's threat landscape is such that if a determined attacker wants to get in, they will. What organisations need is a more proactive approach that focuses on detection, not prevention alone, specifically ensuring they have full visibility into their networks so that they can detect and mitigate a threat before serious damage has been done.
Headlines over the last year show that threats can come from anywhere and for any reason. Businesses therefore need to take a different stance: assume that they will be attacked, and put the necessary measures in place to identify those attacks as quickly as possible. Worryingly, recent research revealed that nearly half of UK organisations that have suffered a data breach took more than four months to detect the problem, and more than three months to mitigate the risk once it was found. This means their corporate networks were open to the attackers for at least seven months in total, giving them plenty of time to take what they need. Adopting a 'when, not if' mindset and putting detection tools in place helps limit the damage, and allows breach investigations to proceed much faster and with greater accuracy.
Improving MTTD and MTTR
For a number of years, business intelligence has allowed organisations to connect seemingly unrelated data points to find new opportunities. Security intelligence does much the same with threat information, enabling security teams to see clearly the threats that matter, so they can respond as quickly and efficiently as possible.
Cyber threats usually leave evidence in the underlying forensic data: the log and machine data constantly generated by every server, device, application, database and security system deployed across the IT environment. Targeted forensic sensors add further visibility across servers, endpoints and entire networks. Within this massive data set are indicators of threats, and unlocking the insight it contains is key to identifying those that could cause damage and present actual risk. That evidence is only usable, however, if the logs are collected centrally and retained for longer than a typical intrusion goes unnoticed; an attacker who is found after four months is invisible to a team that keeps thirty days of logs. This is the main objective of security intelligence: to delve into the data and deliver the right information, at the right time, with the appropriate context, to the right people.
There are two key metrics that organisations must consider when evaluating their security posture: the mean time to detect threats (MTTD), measured from the attacker's first activity on the network to the moment the intrusion is identified, and the mean time to respond to threats (MTTR), measured from detection to the point at which the attacker's access is contained. At present, most organisations operate in a mode where both metrics are measured in weeks or months. It's therefore not surprising that nearly half of businesses in the UK believe their company should be doing more to improve the time it takes to detect and respond to today's threats.
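To make the two metrics concrete, the following is an added example, not code from the original article or from LogRhythm, that computes MTTD and MTTR from a constructed incident register. It assumes each case records a first-activity timestamp reconstructed from the forensic timeline, a detection timestamp and a containment timestamp (the `Incident` fields, the sample cases and the `AS_OF` date are all hypothetical). It also reports the total exposure window per case, which is what the "at least seven months" figure above describes, and treats still-open cases as a lower bound rather than dropping them silently.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Dict, List, Optional

DAY = 86400.0  # seconds per day, used to report timedeltas in days


@dataclass
class Incident:
    """One row of a (hypothetical) incident register."""
    case_id: str
    first_activity: datetime       # earliest attacker activity found in log/forensic data
    detected: Optional[datetime]   # when the SOC opened the case; None if still unknown
    contained: Optional[datetime]  # when the attacker's access was cut off; None if still open


def time_to_detect(inc: Incident) -> Optional[timedelta]:
    """Dwell time before detection: first attacker activity -> detection."""
    if inc.detected is None:
        return None
    return inc.detected - inc.first_activity


def time_to_respond(inc: Incident) -> Optional[timedelta]:
    """Response time: detection -> containment. Undefined until both have happened."""
    if inc.detected is None or inc.contained is None:
        return None
    return inc.contained - inc.detected


def exposure(inc: Incident, as_of: datetime) -> timedelta:
    """Total window the attacker had access (dwell + response).

    For a case that is not yet contained this is a lower bound that grows every day."""
    return (inc.contained or as_of) - inc.first_activity


def _days(deltas: List[timedelta]) -> List[float]:
    return [d.total_seconds() / DAY for d in deltas]


def mttd_days(incidents: List[Incident]) -> Optional[float]:
    """Mean time to detect, in days, over the cases that have actually been detected."""
    samples = [t for t in (time_to_detect(i) for i in incidents) if t is not None]
    return mean(_days(samples)) if samples else None


def median_ttd_days(incidents: List[Incident]) -> Optional[float]:
    """Median companion to MTTD: one very long-running breach skews the mean."""
    samples = [t for t in (time_to_detect(i) for i in incidents) if t is not None]
    return median(_days(samples)) if samples else None


def mttr_days(incidents: List[Incident]) -> Optional[float]:
    """Mean time to respond, in days. Open cases are excluded, which is exactly why
    MTTR on its own can look better than reality; see open_cases()."""
    samples = [t for t in (time_to_respond(i) for i in incidents) if t is not None]
    return mean(_days(samples)) if samples else None


def open_cases(incidents: List[Incident], as_of: datetime) -> Dict[str, float]:
    """Cases not yet contained, with their exposure so far in days."""
    return {i.case_id: exposure(i, as_of).total_seconds() / DAY
            for i in incidents if i.contained is None}


# Constructed sample register (not real data).
INCIDENTS = [
    Incident("INC-1", datetime(2014, 1, 10), datetime(2014, 5, 20), datetime(2014, 8, 28)),
    Incident("INC-2", datetime(2014, 3, 1), datetime(2014, 3, 3), datetime(2014, 3, 4)),
    Incident("INC-3", datetime(2014, 6, 15), datetime(2014, 9, 1), None),  # detected, still open
]
AS_OF = datetime(2014, 10, 1)  # date the report is being produced

if __name__ == "__main__":
    print("MTTD (days):", mttd_days(INCIDENTS))          # 70.0
    print("median TTD (days):", median_ttd_days(INCIDENTS))  # 78.0
    print("MTTR (days):", mttr_days(INCIDENTS))          # 50.5
    for inc in INCIDENTS:
        print(inc.case_id, "exposure so far (days):", exposure(inc, AS_OF).days)
    print("open cases:", open_cases(INCIDENTS, AS_OF))   # {'INC-3': 108.0}
```

Two things worth tracking alongside the headline means: the median, because a single breach that went unnoticed for half a year dominates a mean over a handful of cases, and the list of open cases, because a case that has been detected but not yet contained contributes nothing to MTTR while its exposure window keeps growing.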
Clearly, the more time an intruder is permitted to roam the network undetected, the more damage they can do, leaving an organisation increasingly exposed. As such, companies seeking to reduce their cyber security risk need to look to security intelligence to bring these times down to days or hours and, ideally, minutes. Ultimately, the threat landscape is evolving at a pace that many organisations are struggling to keep up with, so it's more imperative than ever that they are able to minimise the impact of a threat when, in all likelihood, one makes its way onto their network.